Thousands of flights take off daily and millions of people travel around the world through these flights. All travel agencies are using Global Distribution System (GDS) to book flights. A Global Distribution System (GDS) is an online network which allows travel agencies and people to book flights. A shocking fact about these GDSs has been discovered by two security researchers at Security Research Labs (a Berlin-Based Security Firm) after spending months on the investigation. The names of these security researchers are "Nemanja Nikodijevic and Karsten Nohl". The GDSs used by flight booking agencies are not secured. The operators of GDSs are not using any of the modern authentication technique for the security. It allows attackers to modify any random flight bookings.

The Role of GDS in Flight Booking

The Global Distribution System is a database which holds all the information of traveler. It includes Full Name of traveler, details of Tickets, Email Addresses, Contact Numbers, Date of Travelling, Seat Numbers, Passport Information, Luggage Information and the most sensitive information of Credit Cards. After storing all the above information, the GDS generates PNRs (Passenger Name Records).

There are three major (Travelport, Sabre, and Amadeus) GDS operators in the world. All these three GDSs have been used by the travel agencies, people, and many other third party travel websites to generate PNRs for travelers. The databases of these GDSs are storing information of millions of travelers daily. To access this stored information, the last name of traveler and a booking code is required.

The Security Mistakes of GDSs

After spending months on the investigation, both security researchers (Nemanja Nikodijevic and Karsten Nohl) revealed their findings in Hamburg’s 33rd CCC (Chaos Communication Congress). All the security loopholes are as given below:

1. The number of GDS access points is very high. The websites of travel agencies, airlines, and third party travel booking brokers contain these access points. The security level of these access points is very low. If a booking contains multiple flights from different airlines, it could be accessed from the website of any airline.

2. To access the PNRs, there is need of traveler’s last name a six digit booking number. The attackers could easily make a list of popular last names by spending some time on the internet. If we talk about flight booking numbers, the attackers could easily get these booking numbers from luggage tags. Most of the travelers throw away these luggage tags after their flights. The airlines are also printing these booking numbers on the air tickets in the form of QR Codes. Moreover, it is the era of social media and people are posting all the things on social media. The travelers are also posting the photographs of their tickets on social media. The attackers could decrypt this QR code very easily.

3. The GDSs don’t have wrong input limits. It allows attackers to perform brute-force attacks to guess the booking numbers and popular last names.

4. According to the security researchers, the databases of GDSs are not generating logs. It is impossible to track, who has accessed the information. It means the investigators can’t trace footprints of attackers even after a data breach.

5. The databases of GDSs are accepting only uppercase letters. The numeric values “1” and “0” are prohibited to avoid the confusion of travelers between “1 or I” and “0 or O”. This security flaw is also reducing the number of possible codes for attackers.

6. Apart from all the above security mistakes, the travel agencies are using very weak master passwords to access the databases. In a case, the security researchers showed that the password was “WS”. A normal brute force attack can find out these type of passwords within a minute.

What Attackers Can Do?

1.The attackers can Modify Reservations of people.

2. The attackers can cancel flights of people.

3.The attackers can use refunded money to book their flights.

4.The attackers could gain the reward miles of long-haul
flights by changing modifying their flight information. The fact is, this trick
has already being used by the intruders.

5.By stealing personal information of travelers, the attacker
can send them phishing emails. They can steal payment card information of
travelers by saying that their previous flight booking transaction has been
canceled.